ExpressVPN's Privacy Protections Tested in 2 New Audits by KPMG & Cure53
Published on October 27, 2022
For several years now, cybersecurity-focused corporations have been acquiring VPN companies and their brands quite aggressively, absorbing and merging their digital services. The last major acquisition happened in September 2021, when ExpressVPN became part of Kape Technologies. Naturally, that latest development raised many questions regarding ExpressVPN’s decision to go from being an independent VPN service to a corporation-owned one.
With that said, no matter if you're an ExpressVPN subscriber or if you're looking to become one, you'll want to know what this VPN's recent transition means. That’s precisely why our team approached ExpressVPN and spoke with Harold Li, ExpressVPN’s Vice President, in an effort to clear any doubts regarding whether this VPN is still a trustworthy option.
Just below, you'll find our full interview with Harold Li, who agreed to answer our questions on Kape Technologies' acquisition of ExpressVPN, how that affects the VPN's users and customers, whether we can expect a privacy policy change, and more.
TechNadu: Will ExpressVPN continue to operate as an independent company under Kape Technologies? In other words, will ExpressVPN remain owned by Express VPN International Ltd., which I assume will become a subsidiary of Kape Technologies? Is Kape Technologies a subsidiary of a different company?
Harold Li: ExpressVPN will continue to operate as a separate business, led by its co-founders, and be operated as a subsidiary of Kape Technologies that is separate from other existing Kape brands and subsidiaries. Kape Technologies is a publicly-traded company, not a subsidiary of any other company.
TechNadu: Will there be any changes to ExpressVPN’s jurisdiction? Will the VPN remain registered in Tortola, the British Virgin Islands?
Harold Li: ExpressVPN will still be operated via a BVI company and subject to BVI law.
TechNadu: Is Kape Technologies under the jurisdiction of the United Kingdom? If any authority, via legal and binding measures, asks ExpressVPN to track and collect information about a specific individual via Kape Technologies, how will ExpressVPN respond? Does the jurisdiction of the parent company come before the jurisdiction of its subsidiaries?
Harold Li: Kape Technologies PLC is incorporated in the Isle of Man and listed on the London Stock Exchange. When it comes to authorities' requests, they are based on the jurisdiction for the VPN service the customer has chosen and will be BVI in our case.
TechNadu: Will ExpressVPN remain completely independent in relation to other VPNs owned by Kape Technologies, such as CyberGhost VPN, Private Internet Access, and other VPNs? Will there be any technology or personnel exchange?
Harold Li: ExpressVPN will remain a separate service from the other Kape brands, which means for us it is business-as-usual operationally.
In terms of exchanging technology, ExpressVPN will continue to be a premium product and maintain its lead position in the marketplace. ExpressVPN will continue to operate separately from other Kape brands, with its own team and product offering, since our user segment differs from that of other Kape-owned brands. The portfolio won’t be rolled together to create identical technologies with different skins.
TechNadu: Crossrider, Kape Technologies' predecessor, has been linked to several malware strains, some of which remain active. Can you explain Crossrider's link to malware? Is the past of Kape Technologies something that should concern existing and future ExpressVPN subscribers?
Harold Li: Crossrider was never involved in developing malware. Instead, it was a development platform used by tens of thousands of independent developers to easily create browser extensions. As with many open platforms, some users wielded the technology in negative ways. Unfortunately, because extensions developed using the platform typically appeared linked to Crossrider in one way or another (signing, shared libraries, etc.), some of these extensions ended up misattributed to Crossrider itself, including by automated adware and malware scanning and removal tools.
As Brian Krebs of Krebs on Security noted at the time, a few rogue developers were not a reason to "cause alarm about legitimate development platforms like Crossrider."
Nonetheless, Crossrider has long been shut down; its co-founders, entire C-suite, and most of its original team are no longer with the company; and Kape’s revenue (as anyone can see in public filings) comes 100% from subscription services or online content publishing.
TechNadu: Kape Technologies owns Webselenese, a company that operates several VPN review websites. After the acquisition took place in March 2021, we’ve seen a shift on those sites, now advertising Kape’s VPNs primarily (while claiming to be unbiased). What are ExpressVPN’s comments on that?
Harold Li: We understand the important role that tech reviewers play in helping people make informed choices, and hence the importance of editorial independence so consumers can trust what they’re reading.
The review sites owned by Kape subsidiary Webselenese (primarily vpnMentor and WizCase) have publicly stated that they continue to maintain their impartial editorial standards and have been committed to doing so. We’d also note that 5-star ratings of ExpressVPN, Private Internet Access, and CyberGhost predate Kape’s acquisition of Webselenese, and ExpressVPN’s top ranking also predates any deal discussions between Kape and ExpressVPN. You’ll also see that the reviews of Kape-owned Zenmate on vpnMentor (ranked 36th) and WizCase (ranked 8th) are average at best.
Our main focus as ExpressVPN is on delivering the best possible products and services for our users and continuing to prove we provide the best privacy and security service for people everywhere.
TechNadu: Both CyberGhost VPN and PIA (owned by Kape) have started to expand by including an antivirus (supplied by Intego, another Kape-owned company). Can we expect that to happen to ExpressVPN as well, in the future? What’s ExpressVPN's stance on expanding to other cybersec-related domains?
Harold Li: As a separate business, ExpressVPN will continue to have its own product roadmap, although of course, we may draw on Kape’s resources and insights. Broadly speaking, we look forward to continuing to innovate and providing users with protection from a wider range of threats, but at the moment we don’t have specifics about our technology and product roadmap to share today - stay tuned!
TechNadu: How does ExpressVPN plan to strengthen its position and brand image? Via additional audits? When can we expect another audit? Will it be performed by a previously known partner (such as Cure53 or PwC)?
Harold Li: Yes, we will continue to prove our commitment to privacy and security with more regular audits. We've always led the industry in transparency through audits, and we're going to continue doing so. The next audit is likely to be publicly published early next year.
TechNadu: Does ExpressVPN plan to open-source its software, following the footprints of Private Internet Access and other VPN services?
Harold Li: We have launched many trust and transparency initiatives - publishing multiple third-party audits, open-sourcing Lightway, launching the VPN Trust Initiative, just to name a few - and these will continue when we join Kape Technologies. We don’t have specific plans to share today, but stay tuned!
TechNadu: Does ExpressVPN plan to remain a part of the VPN Trust Initiative and ioXt Alliance? Due to the recent changes, does ExpressVPN plan to re-apply for ioXt certification?
Harold Li: Yes, ExpressVPN remains a part of the VPN Trust Initiative and ioXt Alliance. Our ioXt certification was recently renewed in September 2021.
TechNadu: In September 2021, reports started circulating regarding Daniel Gericke (ExpressVPN’s CIO), and his role of being an intelligence operative for the UAE. With that said, do you believe that ExpressVPN owes a more extensive transparency report on Gericke’s involvement with the VPN?
Harold Li: You may find our full statement on this on our blog, along with an additional post that details Gericke’s involvement in our company and how that further strengthened the security of our systems and products in many ways, direct and indirect.
TechNadu: Is there a reason why ExpressVPN decided not to inform its subscribers about Gericke’s involvement on time, once he became ExpressVPN’s CIO?
Harold Li: We don’t typically have appointment announcements. That said, Daniel Gericke’s role at ExpressVPN was public information, available on websites including LinkedIn.
TechNadu: Is Gericke still employed by ExpressVPN? Is he still ExpressVPN’s CIO?
Harold Li: Yes, Gericke is still part of the ExpressVPN team and continues his work helping to enhance our service’s privacy and security protections. We’d also note that as TechRadar rightly pointed out, "cybersecurity companies often hire former military officers and intelligence experts." Gericke’s experience and expertise offer insights into defense that are difficult, if not impossible, to come by elsewhere, helping to ensure we can best protect users from a wide range of adversaries.
TechNadu: Just recently, Edward Snowden, perhaps the most prominent advocate for online privacy, explicitly advised against using ExpressVPN. What are ExpressVPN’s comments on that?
Harold Li: The Snowden tweet definitely went far and wide, but it wasn’t based on a deep understanding of the facts of the situation, so we were disappointed to see that kind of tweet from Snowden.
We also provided additional clarifications and statements published in this piece of follow-up coverage on the news around the DPA.
TechNadu: What would your message be to any concerned ExpressVPN subscriber who might be thinking of switching to an alternative VPN right now? Should we still trust ExpressVPN, and why?
Harold Li: We've been a top consumer pick for a long time due to our leading technology, service, and brand - and we will continue to work to maintain that position. We know that users turn to us because we’re not just at the forefront of privacy- and security-protecting policies and practices but also a clear leader in proving those commitments through independent audits, third-party penetration tests, and privacy-preserving technological innovation. At the end of the day, that concrete evidence is what counts.
We have long been industry leaders in multiple areas such as:
We’re going to continue to advance the state of privacy and security technology with Kape’s backing, and continue to evolve our product offering to meet the greater digital safety needs of consumers. In fact, we will have new features and audits to announce soon, including an annual audit to re-certify our full compliance with our Privacy Policy, including our policy of not storing any activity or connection logs - we look forward to sharing more soon!